How can I create a custom approval_admin role only for the Change Table

DBrown · ‎06-28-2019

Issue:

Certain change managers have been known to abuse the approval_admin role to approve requests outside of the Change table, and definitely outside of their role as Change Manager. Despite having Self-Service Delegate creation in our Catalog, Approvals are sometimes needed to push changes through when Approvers are not in-office.

Request:

Is it possible to create a custom role that has similar privileges as approval_admin, but only applies to the Change approvals?

I'm aware that an ACL is necessary to accomplish this request. However, when creating the ACL, I'm not sure what restrictions need to be in place before it will work properly.

Narendra Kota · ‎07-05-2019

Hi,

Yes, you can create a new custom_approval_admin role by going to the Roles table. After it's submitted, in the related list you'll find Contains Roles, there you can put approval_admin role, and it would act similar to standard approval_admin role. In case, you need to define privileges for this new role on certain tables, you can configure ACL's for it.

Hope this helps.
Please mark helpful or correct based on impact.

Thanks.

View solution in original post

Narendra Kota · ‎07-05-2019

Hi,

Yes, you can create a new custom_approval_admin role by going to the Roles table. After it's submitted, in the related list you'll find Contains Roles, there you can put approval_admin role, and it would act similar to standard approval_admin role. In case, you need to define privileges for this new role on certain tables, you can configure ACL's for it.

Hope this helps.
Please mark helpful or correct based on impact.

Thanks.

DBrown · ‎07-05-2019

Hi Narendra,

Thank you for the response. I've tried doing as you suggested, and though it did allow a user with the new custom role to approve Change Request approvals, it is still also allowing them to approve RITM approvals as well. This second part is what I'm trying to restrict. You mentioned adding ACLs to other tables, but I'm not sure if that would affect other roles, or the itil role in general. Could you or anyone else provide more insight as to how I would accomplish my goal?

Narendra Kota · ‎07-05-2019

Hi,

If you're creating an ACL to restrict custom_approval_admin to only approve change request and not CR, that won't affect any other places in the instances or the itil roles in general. You could try it.

Hope this helps.
Please mark helpful or correct based on impact.

Thanks.

Melissa Berry · ‎05-12-2022

I have created a custom role and a new ACL below to restrict the approvals to Change Requests, but the user with the role is still unable to approve the Change Request. I also added it to the role list instead of in the script and user is still unable to approve. Any suggestions?

When they try to right click and approve they get this popup.